Vulnerability Description
The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Miniorange | Active Directory Integration \/ Ldap Integration | <= 4.1.10 |
Related Weaknesses (CWE)
References
- https://medium.com/%40cybertrinchera/cve-2023-4506-cve-2023-4505-ldap-passback-oExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/2973005/ldap-login-for-intranet-sit
- https://wordpress.org/plugins/ldap-login-for-intranet-sites/Product
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0585969d-dd08-4058-9d7Third Party Advisory
- https://medium.com/%40cybertrinchera/cve-2023-4506-cve-2023-4505-ldap-passback-oExploitThird Party Advisory
- https://wordpress.org/plugins/ldap-login-for-intranet-sites/Product
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0585969d-dd08-4058-9d7Third Party Advisory
FAQ
What is CVE-2023-4506?
CVE-2023-4506 is a vulnerability with a CVSS score of 2.2 (LOW). The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. This is due to insufficient validation when changing t...
How severe is CVE-2023-4506?
CVE-2023-4506 has been rated LOW with a CVSS base score of 2.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-4506?
Check the references section above for vendor advisories and patch information. Affected products include: Miniorange Active Directory Integration \/ Ldap Integration.